CVE-2025-34101

CRITICAL

Serviio Media Server <1.8 - Command Injection

Title source: llm

Description

An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/42023

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/serviio_checkstreamurl_cmd_exec.rb

View Code ZIP pw:eip

References (6)

[Various Sources] https://fortiguard.fortinet.com/encyclopedia/ips/44042

[Various Sources] https://packetstorm.news/files/id/142387

[Various Sources] https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/serviio_checkstreamurl_cmd_exec.rb

[Third Party Advisory] https://vulncheck.com/advisories/serviio-media-server-unauthenticated-command-injection

[Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/42023

Scores

CVSS v4 9.3

EPSS 0.5394

EPSS Percentile 98.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Details

CWE

CWE-20 CWE-306 CWE-78

Status published

Products (1)

Serviio/Media Server 1.4 - 1.8

Published Jul 10, 2025

Tracked Since Feb 18, 2026